A University of Maine physics professor who compromised the personal information of more than 600 current and former students when his laptop was stolen violated a university policy that prohibits professors and other employees from having students’ Social Security numbers stored on any electronic devices.

“This is something we have regularly warned our faculty of,” said John Forker, chief information security officer for the University of Maine System. Forker noted that all system employees receive annual online computer-security training that spells out the policies.

After an incident like this, he said, “We all kind of look introspectively and say, ‘How did this happen?’ ”

Although it was once common for universities to use Social Security numbers to identify students, the UMaine System stopped the practice in 2007 and began assigning unique student ID numbers.

The system office does not have a central inventory of all university-issued laptops, although officials at each campus keep track of their computers. University officials in Orono say they have issued 600 laptops and tablets to faculty there.

Forker said the laptop, which was stolen from checked baggage on a Feb. 10 flight from Seattle to Boston, contained the information because the professor had class lists from before 2007.

Advertisement

The laptop had names, Social Security numbers, phone numbers, email addresses, grade data and course information for 604 students enrolled from 1999 to 2007, and the names and course information of another 337 current and former students, said UMaine spokeswoman Margaret Nagle.

The computer was password-protected, but the sensitive student data was on a removable media card that was not encrypted.

DETERMINING WHY IT HAPPENED

Nagle would not say whether there would be repercussions for the faculty member, who was not identified, saying it was a personnel issue. Initially, officials wouldn’t say whether the professor was supposed to have the student information on the laptop when the security breach was revealed Wednesday.

Forker said Thursday that he didn’t think the professor acted intentionally.

“We need to ask: How did that happen? Was he not aware of the policy? Were we not explicit enough? Or was he not aware of what was on his machine?” said Forker, who is responding to the theft by initiating a campaign to educate workers about security policies.

Advertisement

“Where I think the hole is … we could have been more explicit, and we will be more explicit, in telling them to review old data for any potential problem. We haven’t done that explicitly,” he said.

Forker plans to beef up the annual training to emphasize that older student data might have Social Security numbers, but he did not propose new, more stringent protocols, such as periodically checking university-issued hardware to see if employees are following university policy.

Chief Information Officer Dick Thompson said the school was offering credit protection to the affected students.

“We don’t shun our responsibility. We don’t like that this happened,” Thompson said.

VULNERABILITIES AT UNIVERSITIES

The security breach at UMaine is not unusual for universities. Nationwide, there have been at least 748 security breaches at educational institutions in the past 10 years, a rate of more than one a week, according to Privacy Rights Clearinghouse, a nonprofit that tracks security breaches in multiple industries.

Advertisement

Public universities can be particularly vulnerable to security breaches, said Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, a San Francisco-based digital rights group.

“There’s a lot of people, a lot of devices connecting to their networks,” Tien said. “It’s an academic institution and that is going to make it a much harder place to defend.”

Losing a laptop, Tien said, is a “very, very common” type of security breach.

“The headlines tend to be dominated by some bad guy came in and did something,” like the Sony hack, he said. “But many of the data breaches are incidents like this, where they’re not even sure whether there was a bad guy at all.”

With hardware theft, many times the thief just intends to sell the device and isn’t interested in the information stored on it, he said.

PAST BREACHES, CURRENT ATTACKS

Advertisement

The UMaine System has had previous data or security breaches:

n An unknown number of records were compromised when someone broke into a University of Southern Maine van on Oct. 21, 2013, and stole campus keys, providing access to nearly 50 Portland and Gorham campus buildings. The university replaced locks on the affected buildings, assigned extra police to some buildings, and notified faculty, staff and students of the incident, encouraging them to shut down electronic devices after using them. No data was stolen as a result of the incident, officials said Thursday.

n In May 2012, UMaine’s server was breached by hackers through Computer Connection, a computer store that primarily served UMaine. The data accessed included 2,818 “unique identifiers,” including as many as 435 credit card numbers and 1,175 Social Security numbers.

n On June 29, 2010, hackers compromised the personal information of 4,585 students at UMaine who received services from the counseling center between Aug. 8, 2002, and June 2, 2010, including names, Social Security numbers and clinical information. Forensic analysis later revealed that no personal data was uploaded or shared.

Forker said the university system increased server security after the 2012 attack. Today, student Social Security numbers are used in some way, such as for admissions and financial aid, but the information is kept in secured areas, Forker said, and only certain university employees have access.

“Our systems are being pounded every day by someone on the outside,” he said, referring to hackers testing the system security. “They just aren’t getting through.”

Advertisement

DATA SECURITY EFFORTS BEEFED UP

In early 2011, the system trustees approved the creation of an information security policy and the Office of Information Security dedicated to network and systems security across the university system. The office conducts monthly, sometimes weekly, scanning to check for vulnerability on more than 1,500 server systems.

The university system began annual security training for faculty and staff in 2012, and hired outside contractor Solutionary to provide intrusion detection equipment to monitor campus networks.

Forker even sends out fake “phishing” emails to system employees. If they click on the link, a message from their office pops up to tell them they just fell for a common scam and they need to be more careful.

The university system’s general counsel reported the laptop theft to the Maine Attorney General’s Office, a requirement of the state’s Notice of Risk to Personal Data Act. The theft was also reported to the airline and Massachusetts State Police.


Only subscribers are eligible to post comments. Please subscribe or login first for digital access. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.